SharePoint

In most organizations, employees will leave at some point. In most cases, you will want to access and protect their data, such as documents and emails, and then transfer ownership to a manager or new employee. Performing a dump of the user’s home directories and the contents of a hard drive is common practice, as is exporting their PST from Outlook or even directly out of Office 365’s compliance center. Often overlooked are the contents of the user’s OneDrive.

OneDrive for Business may have been used not only to store and share documents but also as an archive space for the employee. Please note that OneDrive offers the user the ability to keep its contents synced with the user’s computer or just in-cloud, so the traditional method of backing up the computer may not always apply in this area.

I suggest taking the following steps to gain access and download the contents:

The bad guys are at it once again and now have a slick new way of stealing your login credentials: sending you an invite via email to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt.

This prompt will have an “Access Document” link in it – don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked.

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you.

Remember, Think Before You Click.

Here’s how the Phish / Scam attack works

You, the friendly Office 365 user, receive the malicious email – It often uses URGENT or ACTION REQUIRED to instill a sense of immediacy to respond. The email contains a link to a SharePoint Online-based document.

The link directs to SharePoint – Attackers are using true-to-form SharePoint Online-based URLs, which adds credibility and legitimacy to the email and link since the user is being directed to a known-good hosting site.

You are then shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL.

You are then presented with an Office 365 login screen – Here is where the scam takes place: the cybercriminals use a very authentic-looking login page to harvest the user’s credentials.

By default, Office 365 resources for your users are located in the same geo as your Azure AD tenant. So, if your tenant is located in North America, then the users’ Exchange mailboxes and OneDrive are also located in North America. For a multinational organization, this might not be optimal for various reasons.

Reasons include performance and data residency requirements for data-at-rest.

Multi-Geo enables a single Office 365 tenant to span multiple Office 365 data-center geographies (geos) and gives customers the ability to store their Exchange and OneDrive data, at-rest, on a per-user basis, in their chosen geos.

By setting the attribute preferredDataLocation, you can define a user’s geo.

As an admin, you can use the Content search located under Security & Compliance to search for and delete email messages from selected or all mailboxes in your organization. This is particularly useful to remove high-risk emails such as:

It seems that the bad guys are at it once again with an attempt to collect information by phishing credentials from those of us using Office 365 for corporate emails. The hackers’ intention in this particular attack is to deceive Office 365 users into providing their login credentials.

The user sees a fake Office 365 login page, which requests their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can:

Send emails to other users in the victim’s address book, asking them for anything, sending fake invoices, sending more phishing emails, etc.

One of the characteristics of this recent attack is an email with an embedded image that resembles a Microsoft Office Word document and contains a link back to a site with a fake Office 365 logon page. In addition, the site URL ends in php?userid= syntax.

I have provided the following YouTube video to illustrate the interaction of the fake Office 365 logon page.

It’s an important part of your responsibility to be cautious when accessing emails, even from known senders, and to review each email to ensure that it’s legitimate.

If in doubt, do not open the email, and reach out to the sender to confirm they sent it. If you determine an email to be suspicious, report it immediately.

Here are a few guidelines that can be followed. Please review:

Check the sender.

Sometimes, cybercriminals and hackers will fake (or “spoof”) the sender of an email. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be suspicious.

Check for (in)sanity.

Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email’s content is nonsensical or doesn’t match the subject, something may be suspicious.

Check the salutation.

Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be suspicious.

Check the links.

A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://bit.ly, http://goog.le, and http://tinyurl.com. If an email links to a suspicious website, something may be suspicious.

Don’t let them scare you.

Cyber criminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be suspicious.

Don’t open suspicious attachments.

Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be suspicious.

Don’t believe names and logos alone.

With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be suspicious.

If you still aren’t sure, verify!

If you think a message could be legitimate, but you aren’t sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings.